Bug #173
closed
new request for detecting duplicate sig on suricata
Added by rmkml rmkml over 14 years ago.
Updated over 14 years ago.
Description
Hi,
If possible, could you add detection for duplicate sigs please?
For example, if I add two files containing the same sig, like:
...
- snmp.rules
...
- snmp.rules
...
Actually, all sigs in these files (snmp.rules) generate two alerts...
(I discovered this by error in my test conf.)
Maybe it's a good idea to detect this.
Tested on suricata today git (79443b1991840930ded4b8f09ba6de7b000912d9).
Regards
Rmkml
- Due date set to 06/21/2010
- Status changed from New to Assigned
- Assignee set to Anoop Saldanha
- Target version set to 0.9.3
- Estimated time set to 4.00 h
Anoop, can you filter out the dup sigs in the signature ordering process? The sig with the highest rev should be used.
Victor Julien wrote:
Anoop, can you filter out the dup sigs in the signature ordering process? The sig with the highest rev should be used.
ya, cool!
patch attached against bb9c5ef32f8e8719763678db022064f5f717b1c2
- Due date changed from 06/21/2010 to 06/27/2010
- Target version changed from 0.9.3 to 1.0.0
- % Done changed from 0 to 50
- Estimated time changed from 4.00 h to 7.00 h
Thanks Anoop. I'd like to see one change. I want all the duplicate checking logic to be hidden from the normal signature initialization code, especially from DetectEngineAppendSig. In that function I'd like to see just a check like "if (SignatureIsDuplicate(s) == TRUE) { goto free_sig; }". The gory details of the SigWrapper, hash table, etc. can then be hidden all behind that call.
Attached a new patch. Separated the details from AppendSig into a separate one.
- Status changed from Assigned to Closed
- % Done changed from 50 to 100
Patch applied, thanks Anoop.
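The two design points in this thread are that a sig loaded twice (same gid/sid) must be appended only once, keeping the copy with the highest rev, and that the rule loader should only see a single "is this a duplicate?" call while the hash table lives behind it. The C program below is an added illustration of that scheme and is not the patch Anoop attached nor Suricata's own code: the names Sig, ParseSigIds, SigRegister, LoadRuleLine, SigLookupRev, SigCount and SigTableReset are hypothetical, the rule lines are constructed samples standing in for two copies of snmp.rules, and the only Suricata facts it relies on are the rule option syntax (sid:, rev:, gid:) and the default gid of 1.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed-signature record (not Suricata's Signature struct). */
typedef struct Sig_ {
    uint32_t gid, sid, rev;
    char *text;          /* original rule line, kept for reporting */
    struct Sig_ *next;   /* hash bucket chain */
} Sig;

#define NBUCKETS 256
static Sig *sig_table[NBUCKETS];   /* keyed on (gid, sid) */

/* Results of loading one rule line. */
enum { SIG_NEW = 0, SIG_DUP_DROPPED = 1, SIG_DUP_REPLACED = 2, SIG_PARSE_ERROR = -1 };

static unsigned SigHash(uint32_t gid, uint32_t sid) {
    return ((gid * 2654435761u) ^ sid) % NBUCKETS;
}

/* Extract gid/sid/rev from the rule option list "( ...; sid:N; rev:M; ... )".
 * Tokens are split on ';' but ';' inside a quoted msg is ignored.
 * Defaults: gid 1, rev 0. A rule without sid is a parse error. */
static int ParseSigIds(const char *rule, uint32_t *gid, uint32_t *sid, uint32_t *rev) {
    const char *p = strchr(rule, '(');
    if (p == NULL) return -1;
    *gid = 1; *sid = 0; *rev = 0;
    int have_sid = 0;
    for (p++; *p != '\0' && *p != ')'; ) {
        while (isspace((unsigned char)*p)) p++;
        const char *tok = p;
        int inq = 0;
        while (*p != '\0' && (inq || (*p != ';' && *p != ')'))) {
            if (*p == '"') inq = !inq;
            p++;
        }
        if (strncmp(tok, "sid:", 4) == 0) { *sid = (uint32_t)strtoul(tok + 4, NULL, 10); have_sid = 1; }
        else if (strncmp(tok, "rev:", 4) == 0) *rev = (uint32_t)strtoul(tok + 4, NULL, 10);
        else if (strncmp(tok, "gid:", 4) == 0) *gid = (uint32_t)strtoul(tok + 4, NULL, 10);
        if (*p == ';') p++;
    }
    return have_sid ? 0 : -1;
}

/* The single call the loader sees: takes ownership of s. A (gid, sid) seen
 * before is kept only if the new rev is strictly higher; ties and older
 * revs are dropped, so a file loaded twice yields one sig. */
static int SigRegister(Sig *s) {
    unsigned h = SigHash(s->gid, s->sid);
    for (Sig **pp = &sig_table[h]; *pp != NULL; pp = &(*pp)->next) {
        Sig *cur = *pp;
        if (cur->gid != s->gid || cur->sid != s->sid) continue;
        if (s->rev > cur->rev) {           /* newer revision wins */
            s->next = cur->next; *pp = s;
            free(cur->text); free(cur);
            return SIG_DUP_REPLACED;
        }
        free(s->text); free(s);            /* same or older: discard */
        return SIG_DUP_DROPPED;
    }
    s->next = sig_table[h]; sig_table[h] = s;
    return SIG_NEW;
}

int LoadRuleLine(const char *line) {
    Sig *s = calloc(1, sizeof(*s));
    if (s == NULL) return SIG_PARSE_ERROR;
    if (ParseSigIds(line, &s->gid, &s->sid, &s->rev) != 0) { free(s); return SIG_PARSE_ERROR; }
    size_t n = strlen(line) + 1;
    s->text = malloc(n);
    if (s->text == NULL) { free(s); return SIG_PARSE_ERROR; }
    memcpy(s->text, line, n);
    return SigRegister(s);
}

/* Rev of the sig currently registered for (gid, sid), or -1 if absent. */
int SigLookupRev(uint32_t gid, uint32_t sid) {
    for (Sig *cur = sig_table[SigHash(gid, sid)]; cur != NULL; cur = cur->next)
        if (cur->gid == gid && cur->sid == sid) return (int)cur->rev;
    return -1;
}

size_t SigCount(void) {
    size_t n = 0;
    for (unsigned i = 0; i < NBUCKETS; i++)
        for (Sig *cur = sig_table[i]; cur != NULL; cur = cur->next) n++;
    return n;
}

void SigTableReset(void) {
    for (unsigned i = 0; i < NBUCKETS; i++) {
        Sig *cur = sig_table[i];
        while (cur != NULL) { Sig *nx = cur->next; free(cur->text); free(cur); cur = nx; }
        sig_table[i] = NULL;
    }
}

int main(void) {
    /* Constructed sample: snmp.rules listed twice, plus a newer rev of one sig. */
    const char *rules[] = {
        "alert udp any any -> any 161 (msg:\"SNMP request udp\"; sid:2000001; rev:2;)",
        "alert udp any any -> any 161 (msg:\"SNMP request udp\"; sid:2000001; rev:2;)",
        "alert udp any any -> any 161 (msg:\"SNMP request udp\"; sid:2000001; rev:3;)",
    };
    static const char *names[] = { "SIG_NEW", "SIG_DUP_DROPPED", "SIG_DUP_REPLACED" };
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
        int r = LoadRuleLine(rules[i]);
        printf("%-16s %s\n", r < 0 ? "SIG_PARSE_ERROR" : names[r], rules[i]);
    }
    printf("registered sigs: %zu, sid 2000001 at rev %d\n", SigCount(), SigLookupRev(1, 2000001));
    SigTableReset();
    return 0;
}
```

With this in place, loading the same snmp.rules twice leaves exactly one copy per sid, so the "two alerts per sig" symptom from the report cannot occur; a lower rev arriving after a higher one is also dropped, which is the "highest rev should be used" rule from the thread.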